feat: web UI auth — login page, session store, Shell, TanStack Query #17
Reference in New Issue
Block a user
Delete Branch "dev"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Summary
lib/api/client.ts):apiFetch+api.{get,post,del}with typedApiError{code,message,status}and auto-logout on 401 via dynamic import (breaks theapiFetch ↔ auth/storecycle).lib/auth/store.svelte.ts):user,bootstrap,login,logout— bootstrapped once in+layout.tsso refresh never flashes the login screen.<QueryClientProvider>at the root layout; queryClient is cleared on logout so the next user doesn't see stale data.lib/components/Shell.svelte): header with user-menu logout + sidebar nav (Library / Search / Playlists). Sidebar hides belowmd:; mobile nav is a later plan./login): typed error UX — "Invalid username or password" vs "Sign-in unavailable" — withreturnTosupport that blocks open-redirect vectors (//evil.com,http://evil.com,/login,../admin).+layout.sveltevia$effect— unauthed users are sent to/login?returnTo=…, authed users on/logingo to/./,/search,/playlistsso the sidebar works end-to-end before the real feature plans land.login.test.tsto avoid the+page.*SvelteKit route-walker collision.Test Plan
go test -short -race ./...passes (unchanged; backend untouched)golangci-lint run ./...cleancd web && npm run check→ 0 errors / 0 warningscd web && npm test→ 29 tests across 5 files passcd web && npm run buildsucceeds (adapter-static emitsweb/build/)docker build .builds; binary is-xin the final imagedocker compose up -d→POST /api/auth/loginreturns 200 +Set-Cookie: minstrel_session=...(verified with seeded admin user)